Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1 #9234
This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.
pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage, it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.
The victim should be able to access the WebGUI and must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.
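An added example (not part of this pull request or of Metasploit): a Ruby check a defender can run over collected response headers to see which WebGUI responses, error pages included, a browser would still render inside a cross-origin frame. The response labels and header values are constructed samples, and `frame_policy` and `frameable_responses` are hypothetical helper names.

```ruby
# Classify the anti-framing protection a response carries, from its headers.
# Returns :deny, :same_origin, :allowlist or :frameable.
def frame_policy(headers)
  # Header names are case-insensitive, so normalise them first.
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }

  # CSP frame-ancestors, when present, is enforced instead of X-Frame-Options.
  directives = h.fetch('content-security-policy', '').split(';').map(&:strip)
  directive = directives.find { |d| d.split(/\s+/).first.to_s.downcase == 'frame-ancestors' }
  if directive
    sources = directive.split(/\s+/).drop(1).map(&:downcase)
    # An empty source list matches no ancestor, the same as 'none'.
    return :deny if sources.empty? || sources == ["'none'"]
    return :same_origin if sources == ["'self'"]
    return :frameable if sources.include?('*')
    return :allowlist
  end

  case h.fetch('x-frame-options', '').strip.downcase
  when 'deny' then :deny
  when 'sameorigin' then :same_origin
  else
    # Missing header, obsolete ALLOW-FROM, or an invalid value:
    # current browsers apply no framing restriction.
    :frameable
  end
end

# Labels of the responses that any origin may frame.
def frameable_responses(responses)
  responses.select { |_label, headers| frame_policy(headers) == :frameable }.keys
end

# Constructed sample data (not captured from a pfSense instance).
SAMPLE_RESPONSES = {
  'dashboard (200)'  => { 'X-Frame-Options' => 'SAMEORIGIN' },
  'error page (403)' => { 'Content-Type' => 'text/html' },
  'csp page (200)'   => { 'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  frameable_responses(SAMPLE_RESPONSES).each { |label| puts "no anti-framing header: #{label}" }
end
```

Error and rejection responses are worth including in such a review, since they are often generated by a different code path than the normal pages.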
Works as advertised: